Security-conscious organizations are complementing passwords with an extra layer of technology by combining something you know (your password) with something you have. This underlying concept is known as two-factor authentication; one example is the use of a private digital certificate that the endpoint must see before it unlocks.

Users put digital certificates on devices such as thumb drives that plug directly into a USB port, or on smart cards that communicate with a separate hardware reader.

Recently, wearable technology has added a new twist. Some apps now enable smart watches to verify their wearers automatically over Bluetooth connections, letting a user automatically unlock a computer just by sitting down at it.

More advanced is fingerprint scanning, which authenticates the user by skipping from “something you have” to “something you are.”

Storing Secrets

Although the technology itself is proven, the security of fingerprint scanning depends on where the underlying software stores the fingerprint credentials. In the past, some scanners have stored fingerprint information openly on the hard drive, leaving users vulnerable to attack by thieves who can physically access the device.

As with any other user “secret,” such as a password or a digital certificate, the smartest way to protect fingerprint credentials is in hardware designed for secure storage. Consequently, one important tool underpins many enhanced endpoint protection mechanisms today: the Trusted Platform Module (TPM).

The TPM is a hardware “vault” that stores passwords, digital certificates and other secrets. Based on a specification created by the Trusted Computing Group, this cryptographic chip is found in most modern endpoint computers.

In physically secure hardware, the TPM stores user secrets such as encryption keys that Windows-based computers can use to encrypt data. It offers more robust security protection than storing secrets in software or on a hard drive, where they might be retrieved using malware or hardware scanners.

Endpoint access security systems that store private information in the TPM are more secure than those that store it in easy-to-find places on the hard disk, such as the Windows registry. Most thieves who make off with your machine will find it impossible to crack the TPM chip, which is why Microsoft made TPM 2.0 support mandatory for devices running Windows 10.
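Before relying on the TPM as the "vault" described above, an administrator wants to confirm that an endpoint actually has one, that it implements the 2.0 specification, and that firmware has left it enabled and usable. The following PowerShell snippet is an added example written for this page; it is not code from the article or from Microsoft. It queries the real `Win32_Tpm` WMI class (namespace `root\cimv2\Security\MicrosoftTpm`) and its `IsEnabled`, `IsActivated` and `IsOwned` methods; the function name `Get-EndpointTpmStatus` and the warning texts are this example's own. Run it in an elevated session, since the class is not readable by standard users.

```powershell
# Added example (not from the original article): report whether this Windows
# endpoint has a TPM, which TCG specification family it implements, and
# whether it is enabled, activated and owned (i.e. ready to hold secrets).
# Requires an elevated PowerShell session.

function Get-EndpointTpmStatus {
    [CmdletBinding()]
    param()

    # Win32_Tpm lives in the MicrosoftTpm namespace; on a machine with no TPM
    # (or without admin rights) the query returns nothing.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue

    if (-not $tpm) {
        return [pscustomobject]@{
            Present     = $false
            SpecVersion = $null
            Enabled     = $false
            Activated   = $false
            Owned       = $false
            Ready       = $false
        }
    }

    # SpecVersion is a comma-separated string such as "2.0, 0, 1.16"; the
    # first field is the specification family (1.2 or 2.0).
    $family = ($tpm.SpecVersion -split ',')[0].Trim()

    # Each Win32_Tpm method returns an object whose boolean out-parameter
    # carries the same name as the method.
    $enabled   = (Invoke-CimMethod -InputObject $tpm -MethodName IsEnabled).IsEnabled
    $activated = (Invoke-CimMethod -InputObject $tpm -MethodName IsActivated).IsActivated
    $owned     = (Invoke-CimMethod -InputObject $tpm -MethodName IsOwned).IsOwned

    [pscustomobject]@{
        Present     = $true
        SpecVersion = $family
        Enabled     = [bool]$enabled
        Activated   = [bool]$activated
        Owned       = [bool]$owned
        Ready       = [bool]($enabled -and $activated -and $owned)
    }
}

# Usage: print the status and flag the cases an administrator should act on.
$status = Get-EndpointTpmStatus
$status | Format-List

if (-not $status.Present) {
    Write-Warning 'No TPM detected: secrets on this endpoint can only be stored in software.'
} elseif ($status.SpecVersion -ne '2.0') {
    Write-Warning "TPM $($status.SpecVersion) found; TPM 2.0 is the baseline Microsoft requires for Windows 10 devices."
} elseif (-not $status.Ready) {
    Write-Warning 'TPM 2.0 present but not enabled, activated and owned; check the firmware (UEFI) settings.'
} else {
    Write-Output 'TPM 2.0 present and ready for hardware-backed key storage.'
}
```

On Windows 8 and later the built-in `Get-Tpm` cmdlet returns similar `TpmPresent`, `TpmEnabled`, `TpmActivated` and `TpmReady` fields and is the quicker interactive check; the CIM query above is used here because it also exposes the specification version, which is the property that distinguishes a 1.2 part from the 2.0 part the article refers to.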

Hello Adds Security

Microsoft had the TPM in mind when it designed Windows Hello, an even more intuitive authentication technology. First introduced in Windows 10, Hello adds two authentication mechanisms — iris recognition and facial recognition — alongside fingerprint scanning.

Facial recognition on Hello represents a leap forward in security. Early technologies failed to distinguish between the actual face and a photo, raising the potential for hackers to easily fool the system. Microsoft solved this problem using infrared cameras, which succeeded for two reasons.

First, photographs don’t show up on infrared cameras. Second, infrared scans can be performed even under poor lighting.

The downside is that devices need dedicated infrared cameras to support facial recognition with Windows Hello.

Passwords are still used in Windows accounts, but these are typically applied only if facial recognition doesn’t work.

The movement toward more advanced forms of endpoint security raises a question, however: Are these systems more secure than password access? Probably, unless you are already using a strong password that isn’t reused anywhere else. Although security agencies might be able to crack advanced endpoint protection, the average laptop thief won’t.

Researchers have successfully attacked TPM chips, just as they have found ways around fingerprint readers. But the technology keeps evolving, and the attacks are getting harder to execute.
